You can see the active rules that are in the kernel (netfilter) with:
Code: Select all
iptables -t mangle -S
iptables -t nat -S
Hint: grep inside0 (if that is the name of the bridge) from the output and then look for other rules that seem to relate to what you see.
The net.bridge.bridge-nf-call* are not necessary. Originally the bridged traffic never did enter the netfilter. At some point kernel was changed to filter also the bridged traffic.
has some flowcharts.
However, at least in Red Hat the net.bridge.bridge-nf-call* = 0
config did appear quite soon to maintain the old "unfiltered" behaviour.
When the virtualization started to boom, this became even more important, cutting "unnecessary" overhead. This config had some issues though, the /etc/sysctl.conf was processed before
the kernel had the net.bridge.bridge-nf-call*.
On 7.3 the kernel has the changed again. The module that would enable filtering bridged traffic is not loaded
by default. Hence no need to set those variables.
When your VM's talk with PhyLAN devices via br3, that is bridged traffic. The br2 bridges too.
When a VM in inside0 talks with PhyLAN devices, that is not bridged. That is where the baremetal host routes between inside0 network and br3 network.